Iran-backed threat group targeting Israeli shipping, says analyst


A threat group suspected of being allied to Iran has been targeting critical Israeli infrastructure, in a further sign of escalating cyberwar between the two nations, says a research company.

Mandiant spotted the threat group UNC3890 going after Israel’s shipping, aviation, healthcare, and energy sectors over the past year, using malware to launch social engineering attacks in what it believes is an effort to conduct military intelligence operations.

ADVERTISEMENT

It says it “assesses with moderate confidence” that the group “is linked to Iran, which is notable given the strong focus on shipping and the ongoing naval conflict between Iran and Israel.”

Mandiant cites as evidence Farsi words in strings of coding left by alleged UNC3890 hackers, for instance, the word “yaal” for a horse’s mane and “khoda” meaning god. Farsi or Persian is a language spoken in the west of Iran by more than half the country’s total population.

“While we believe this actor is focused on intelligence collection, the collected data may be leveraged to support various activities, from hack-and-leak, to enabling kinetic warfare attacks like those that have plagued the shipping industry in recent years,” said Mandiant.

Shipping website hacked

As an example of one cyberattack, it said it had found an authentic login page on a website from an Israeli shipping company compromised by UNC3890 into sending user data to “an attacker controlled domain.”

Mandiant says UNC3890’s activities appear to be primarily focused on Israel, with whom Iran has been fighting what some describe as a proxy war for years, and bear a resemblance to cyber-campaigns waged by other groups linked to the Islamist state.

“We identified several connections suggesting the activity is conducted by an Iran-nexus [including] focused targeting of Israeli entities and organizations, or organizations operating in Israel, consistent with other clusters of activity operated by Iranian threat actors, specifically UNC757,” said Mandiant.

Global firms doing business with Israel could also be targeted, potentially widening the scope of the cyber-conflict to involve other nations.

ADVERTISEMENT

“Even though the targeting we observed is focused on Israel, some of the entities targeted by UNC3890, especially in the shipping sector, are global companies,” said Mandiant. “Therefore, the potential impact of UNC3890 activity [...] may extend beyond Israel. The activity is consistent with historical Iranian interest in these targets.”

Tactics, techniques, and procedures used by UNC3890 include disguising malicious attacks “as legitimate login activity, legitimate services and social network applications, and technology-related visual content.”

Screenshot of picture of fake ad for a robotic doll
Screenshot of a fake advert used by suspected Iranian threat group to lure victims into parting with valuable information.

Sugary but not sweet for Israel

UNC3890’s observed toolkit includes Sugarush, a backdoor malware program that executes remote-control commands on a hacker’s behalf, and Sugardump, a credential-harvesting tool designed to collect passwords from Chromium browsers.

An upgraded version of the latter program also allows cyberattackers to exfiltrate stolen login data via Gmail, Yahoo, and Yandex email addresses. This and other malware programs operated by UNC3890 use fake adverts as lures, ranging from the mundane such as job vacancies to the bizarre – “a commercial for robotic dolls.”

Commenting on the report’s findings, John Hultquist, vice president of threat intelligence at Mandiant, said: “The shipping industry and global supply chain are particularly vulnerable to disruption, especially in places where a state of low-level conflict already exists. This is a reminder that global companies face global threats.”